Component Type: TYPO3 CMS
Release Date: July 19, 2016
Vulnerable subcomponent: Backend
Vulnerability Type: Information Disclosure
Affected Versions: Versions 6.2.0 to 6.2.25, 7.6.0 to 7.6.9 and 8.0.0 to 8.2.0
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:P/RL:O/RC:C
CVE: not assigned yet
Problem Description: The TYPO3 backend module stores the username of an authenticated backend user in its cache files. An attacker who guesses the file path to these cache files can retrieve valid backend usernames.
Solution: Update to TYPO3 version 6.2.26, 7.6.10 or 8.2.1, which fix the problem described.
Credits: Thanks to Matthias Kappenberg who discovered and reported the issue.
General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.
General Note: All security-related code changes are tagged so that you can easily look them up on our review system.
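
Added example (not part of the original advisory or of TYPO3 itself): a triage check that maps installed versions to the fixed release named under "Solution", using the ranges from "Affected Versions". The inventory, its site names and the function names are assumptions made for illustration.

```python
import re

# (first affected, last affected, fixed release), taken from the advisory's
# "Affected Versions" and "Solution" fields.
AFFECTED_RANGES = [
    ((6, 2, 0), (6, 2, 25), "6.2.26"),
    ((7, 6, 0), (7, 6, 9), "7.6.10"),
    ((8, 0, 0), (8, 2, 0), "8.2.1"),
]

def parse_version(text):
    """Parse 'X.Y.Z' into a tuple of ints so that 6.2.9 sorts before 6.2.25."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if match is None:
        raise ValueError(f"not an X.Y.Z version: {text!r}")
    return tuple(int(part) for part in match.groups())

def fixed_release_for(version):
    """Return the release to update to, or None if outside the affected ranges."""
    parsed = parse_version(version)
    for first, last, fixed in AFFECTED_RANGES:
        if first <= parsed <= last:
            return fixed
    return None

def triage(inventory):
    """Split {site: version} into sites to update and sites needing manual review."""
    to_update, unparsed = {}, []
    for site, version in sorted(inventory.items()):
        try:
            fixed = fixed_release_for(version)
        except ValueError:
            unparsed.append(site)  # version string could not be compared
            continue
        if fixed is not None:
            to_update[site] = fixed
    return to_update, unparsed

# Constructed inventory: site names and versions are sample data.
SAMPLE_INVENTORY = {
    "intranet": "6.2.9",
    "shop": "7.6.10",
    "blog": "8.2.0",
    "legacy": "7.6-dev",
}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

A result of None only means the version is not in the ranges this advisory lists; branches the advisory does not mention are not assessed by it.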